CMMC Requirements Checklist


CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity certification model managed and controlled by the Department of Defense (DoD). Businesses bidding for and delivering DoD contracts that involve controlled unclassified information (CUI) require certification under CMMC 2.0.

Many of the practices required for CMMC come from NIST SP 800-171 and NIST SP 800-172. Businesses already working on federal contracts will be familiar with the steps needed to implement them. What CMMC adds is a third-party assessment by a DoD-certified entity that issues the CMMC certification. Critical Insight has an expert team who can assist your organization in preparing for CMMC certification.

CMMC 2.0 Overview

When working on federal contracts, compliance with the NIST SP 800-171A security requirements is necessary. The role of CMMC is to certify that businesses handling CUI for DoD contracts are following the NIST SP 800-171A requirements. The diagram below shows the CMMC 2.0 model compared with the previous CMMC model.

[Diagram: CMMC 2.0 model compared with the previous CMMC model] (Source: retrieved May 2022).

The CMMC certification level required will depend on the DoD project work and the contract type. Note that many DoD contracts are delivered on a subcontractor basis: the lead contractor appoints subcontractors who report to the lead contractor rather than to the DoD directly. These subcontractors also need CMMC certification to work on the contracts.


Critical Insight CMMC Compliance Assistance

Every organization is unique, so a customized approach is required to attain CMMC certification. Although all organizations must meet the same CMMC security practices, what each one needs to do will depend on its current environment and business processes.

Critical Insight can assist your business on the journey to NIST SP 800-171A compliance and CMMC 2.0 accreditation. We have the experts with the experience needed to determine your current security position. Together, we can then identify what you need to do, develop a plan to get there and work with you over time to ensure you remain compliant and ready to bid for and win DoD contracts.

Critical Insight Assistance

The flow diagram below outlines the steps an organization needs to follow on its CMMC certification journey. Critical Insight’s consultants can work with your team on all of these steps except the final Certified CMMC Assessment. That last step must be carried out by an independent third party appointed by the DoD, separate from any cybersecurity supplier that helped the organization prepare. This separation avoids any conflict of interest in the certification process and lets the DoD ensure that the certification entities it selects are independent.


Experience from working with multiple organizations on CMMC compliance shows that the items listed under Data Flow Analysis and Scope Assessment Boundary in the flow diagram above are the most time-consuming. A Gap Assessment is undertaken once these data gathering and analysis stages are complete. Two significant outputs emerge from the process: a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M). These inform and guide the gap assessment, highlighting any CMMC practices not yet implemented within the organization.

The Remediate Risks section of the CMMC Compliance Process flow is where any highlighted gaps are addressed. The time needed to close the gaps will depend on their complexity, the budget available for any new solutions required, and the timeline the organization must meet in order to bid for contracts that require CMMC accreditation.

Critical Insight Services

The cybersecurity services that Critical Insight offers enable organizations to improve their security posture to the point where the practices required by NIST SP 800-171A and CMMC are core to operations. The Defense Services Wheel shown in the Total Security Solutions section of the Critical Insight home page displays our complete service portfolio.

The services that are relevant to obtaining and retaining CMMC compliance accreditation are:

vCISO service to oversee:

  • Policy reviews
  • Change management
  • Vulnerability management
  • Continuous monitoring
  • Incident response and tabletop exercises
  • Risk assessments
  • Security assessments

Managed Detection and Response (MDR) delivery:

  • Network monitoring
  • Log management
  • Security Information and Event Management (SIEM)
  • Auditing

Additional services:

  • Gap Assessments, Security and Risk Assessments
  • Continuous Vulnerability Identification (CVI) and Vulnerability Management
  • Incident Response plans and tabletop exercises to simulate cyberattacks and response procedures

Wherever you are on your CMMC compliance journey, Critical Insight can help you prepare for the accreditation you need for DoD contracts. Contact us using the form below to start a conversation about this or any other cybersecurity topic.

See Also:

The How-to-Guide to CMMC Compliance

What are the CMMC Levels?

Who Needs CMMC Certification?